ABSTRACT

This document defines the maintainability block diagrams and
math models and the reliability block diagrams for the "Sink
Rate Delay/Improved In-Water Stability System for Helicopters"
(Helicopter Flotation System) (HFS). These diagrams and
models serve as a basis for estimating the effectiveness of
the Helicopter Flotation System as a survival system and will
be used in allocation, prediction, and failure modes and
effects analysis.
1. MAINTAINABILITY BLOCK DIAGRAM AND MATHEMATICAL MODEL

The Helicopter Flotation System (HFS) installation, by its
nature as survival equipment, is not normally exercised during
routine flight operations and hence its impact on overall
system operational readiness may be considered as insignificant.
This parameter, considered herein as synonymous with
availability, is assessed by the following model and later quantified
as a part of maintainability allocations and predictions.
Preventive or scheduled maintenance comprises the major portion
of the installation maintenance burden and is addressed at
both organizational and intermediate levels of maintenance by
the model. However, preventive maintenance at the intermediate
level is not presently anticipated. Corrective maintenance
is treated in a like manner and as a result the block diagram
and maintainability model can be used to determine the character
and magnitude of the HFS installation maintenance downtimes
and maintenance support demands at the organizational and
intermediate levels of maintenance.

2.  HFS  HARDWARE  BREAKDOWN  STRUCTURE  (HBS) 

The  HBS  affords  a graphic  display  and  interrelationship  of 
the  end  item  subdivided  into  successively  smaller  units.  Each 
unit  is  identified  with  a summary  number  conforming  to  the 
requirements  of  MIL-STD-780,  "Work  Unit  Codes  and  Maintenance 
Engineering Analysis Control Numbers (MEACNS) for Aeronautical
Equipment; Uniform Numbering System". This number is used for
Logistic Support Analysis (LSA) identification during design
and development, and for maintenance reporting during
operational use, thus closing the loop of Allocation, Prediction,
Demonstration and Evaluation.

Figure  1 shows  the  HFS  installation  interfaced  with  a segment 
of  the  existing  HBS  of  the  H-46  helicopter  as  contained  in 
NAVAIR  01-250HD-8,  "Work  Unit  Code  Manual  H-46  Aircraft".  As 
indicated, the HFS as presently envisioned consists of three
major installations: Nose Flotation, Stub Wing Flotation and
Controls. With the exception of the access panels, the
Weapon Replaceable Assemblies (WRA's) of the flotation
installation are identical. The added electrical components and wiring
are  considered  in  this  model,  recognizing  that  operational 
maintenance  would  be  reported  under  the  Electrical  Work  Unit 
Code  of  42,000.  Any  of  the  HFS  summary  numbers  may  be  used 
to  exercise  the  maintainability  model. 
3. HFS MAINTAINABILITY BLOCK DIAGRAM

The  top  level  maintainability  block  diagram  for  the  HFS  is 
shown  in  Figure  2.  This  diagram  indicates  what  maintenance 
must  be  performed  and  why  it  is  performed.  Applying  this 
rationale  to  lower  levels  of  installation  indenture  results 
in  the  definition  of  maintainability  analysis  work  packages, 
i.e.  how  can  maintainability  techniques  reduce  the  support 
burden  of  required  maintenance? 

4. PLANNED MAINTENANCE

The  planned  maintenance  block  of  the  diagram  refers  to  the 
planned  maintenance  requirements  of  the  Naval  Aviation 
Maintenance  Program  (NAMP)  as  defined  in  Chapter  11,  Volume  II 
of OPNAVINST 4790.2A. The HFS installation support is based
on the requirements of the NAMP. The planned maintenance
requirements of the HFS with their rationale are defined in
the following paragraphs.

4.1  TURNAROUND  INSPECTION 

This  inspection  is  conducted  to  ensure  the  integrity  of  the 
HFS  for  flight  and  to  detect  degradation  that  may  have 
occurred  during  the  previous  flight.  The  turnaround  inspection 
is  performed  prior  to  the  first  flight  of  each  day  and  after 
every  flight.  Since  the  HFS  has  a built  in  test  capability 
which  is  exercised  as  part  of  the  pilot's  preflight  check 
list,  the  turnaround  inspection  is  limited  to  an  external 
visual inspection of the flotation installations for security
and obvious damage.

4.2 DAILY INSPECTION

This  inspection  is  conducted  to  a greater  depth  than  the 
turnaround  inspection.  In  addition  to  security  and  obvious 
damage,  components  are  inspected  for  corrosion,  wear,  and 
overall  condition.  The  daily  inspection  is  performed  prior 
to  the  first  flight  of  the  day  and  may  be  considered  valid 
for  a period  of  72  hours,  provided  that  no  flight  occurs  during 
this  period  and  no  maintenance  other  than  servicing  has  been 
performed. 

4.3  PHASED  INSPECTION 

The H-46 helicopter phased inspection is a series of four
related inspections that are performed sequentially at 100
hour intervals. One of these phases shall include a comprehensive
inspection of the HFS installation. This inspection will check
the condition and operation of all HFS components to the extent
allowed without inflating the floats. The floats shall be so
designed and constructed that inspection will not be required
for 24 month periods.
5.1 MAINTENANCE DOWNTIME

HFS preventive maintenance is performed concurrent with existing
H-46 preventive maintenance requirements and hence has no effect
on aircraft downtime. HFS Mean Maintenance Downtime (MMDT)
and Maintenance Downtime per Flight Hour (DT/FH) are computed
as follows:

MMDT = ((Repair X * Repair ET) + (Replace X * Replace ET)) /
       ((Repair X + Replace X) * 60)

DT/FH = ((Repair X * Repair ET) + (Replace X * Replace ET)) /
        (1000 * 60)

5.2  ORGANIZATIONAL  MAINTENANCE  MANHOURS  PER  FLIGHT  HOUR 
(ORG  MH/FH) 

ORG MH/FH is a summation of preventive (PREV ORG MH/FH) and
corrective (CORR ORG MH/FH) times, and is computed as follows:

PREV ORG MH/FH = ((Turnaround X * Turnaround ET * Turnaround Crew) +
                  (Daily X * Daily ET * Daily Crew) +
                  (Phase X * Phase ET * Phase Crew)) / (1000 * 60)

CORR ORG MH/FH = ((Repair X * Repair ET * Repair Crew) +
                  (Replace X * Replace ET * Replace Crew)) / (1000 * 60)

ORG MH/FH = PREV ORG MH/FH + CORR ORG MH/FH

5.3 INTERMEDIATE MAINTENANCE MANHOURS PER FLIGHT HOUR
(INT MH/FH)

INT MH/FH is also a summation of preventive and corrective
time, and is computed as follows:

INT MH/FH = ((Prev X * Prev ET * Prev Crew) +
             (Repair WRA X * Repair WRA ET * Repair WRA Crew)) / (1000 * 60)

6.  SUMMARY  OF  RELIABILITY  ANALYSIS 

The system was analyzed for flight safety, mission, and
maintenance malfunction reliabilities. This analysis included
predictions, allocations, Failure Mode and Effects Analysis,
and test program design. All numerical reliability
requirements were met, and no verifiable single failure points were
found.
6.1 GENERAL DISCUSSION

Three types of Reliability have been analyzed:

a. Flight Safety Reliability

b. Mission Reliability

c. Maintenance Malfunction Reliability

Flight Safety Reliability is the probability that no hardware
failure will cause a catastrophic accident. For the HFS stability
system this is essentially equivalent to the deployment of the
bag(s) while flying.

For this stability system, Mission Reliability is defined as
the probability that the bags would successfully deploy
whenever the system was activated.

Maintenance Malfunction Reliability is the probability of no
hardware malfunction requiring maintenance action.

The  simultaneous  analysis  of  all  three  types  of  Reliability  is 
essential  to  truly  optimize  the  system.  For  example,  additional 
levels  of  redundancy  tend  to  improve  the  first  two  types  of 
Reliability,  but  Maintenance  Malfunction  Reliability  is  degraded. 

6.2  GROUND  RULES 


The  following  ground  rules  were  used  for  design  evaluation: 

a.  No  single  failure  shall  cause  a flight  safety  loss. 

b.  No  single  failure  shall  cause  a mission  loss. 

c.  The  probability  of  flight  safety  loss  shall  be  in  the 
"remote"  category  (Rfs  greater  than  .9999999  or  about  10 
million  hours  between  hardware  failures  affecting  safety). 

d.  Mission  Reliability  shall  equal  or  exceed  .90  for  439.65 
flight  hours  (18  calendar  months)  under  field  conditions. 

e.  Mission  Reliability  shall  equal  or  exceed  .98  for  one  hour 
bench  tests. 

f. The system shall have a 90% probability of passing tests
designed to demonstrate the requirements of ground rules
4 and 5 at the 90% confidence level.

g. Subject to the above constraints, Maintenance Malfunction
Reliability shall be maximized.
6.3 DESIGN CHANGE RATIONALE

Preliminary reliability analysis indicated that the system as
defined in D210-11003-1 was not capable of meeting the above
ground rules. Accordingly, the design was modified to that
shown in the schematic of Figure 4. The following are the
rationale for these changes:

a. The preliminary Failure Mode and Effects Analysis identified
several wiring single failure points for both flight safety
and mission (e.g. opens, shorts to power, and shorts to
ground).

b. The deploy relay (K1) was a single failure point for both
flight safety and mission reliabilities. The preliminary
reliability prediction indicated that single squibs - even
"Hi-rel" squibs - could not meet the "bench" mission
reliability requirement.

c. The control circuitry prior to relay K1 was vulnerable to
EMI (electro-magnetic interference) thus defeating the
intent of the high amperage squibs.

7. RELIABILITY BLOCK DIAGRAMS

Figures  5,  6,  7,  and  8 are  the  Reliability  Block  Diagrams  for 
Maintenance  Malfunction,  "bench"  Mission,  "field"  Mission, 
and  Flight  Safety  Reliabilities  respectively.  Unless  otherwise 
noted,  all  numbers  are  "effective"  or  "average"  failure  rates 
in failures per million hours. Numbers such as .0(6)123 are
a short form for .00000000123 (likewise .9(5)123 = .99999123).
MIL-STD-756  conventions  are  applicable. 


8.  RELIABILITY  PREDICTIONS 

Figure  9 is  a computerized  reliability  prediction  for  the 
four  different  types  of  reliability.  These  predictions  utilize 
the logical relationships (redundancies) shown in the Reliability
Block  Diagrams.  All  numbers  are  failure  rates  in  failures  per 
million  hours.  Converted  to  reliabilities,  the  system  values 
are  as  follows: 


                          Failure                 Predicted      Required
                          Rate       Time (Hrs)   Reliability    Reliability

Maintenance Malfunction   1533.100   1            .9(2)846
"bench" Mission           426.913    1            .9(3)573       .98
"field" Mission           .977       439.65       .9(3)570       .90
Flight Safety             .0(8)175   439.65       .9(12)226      .9(7)

[Figure: Flotation System Reliability Block Diagram, Mission - Bench, T = 1 hour]

[Figure: Flotation System Reliability Block Diagram, Mission - Field, T = 439.65 hours (18 mo)]

The Maintenance Malfunction value indicates an average time of
652 flight hours between maintenance-requiring malfunctions.

The remaining reliabilities exceed their requirements by a
margin big enough to assure 90% probability of passing a 90%
confidence test. These margins are also large enough to assure
that a worst case (-3 sigma) deviation would still meet the
requirements.

9.  RELIABILITY  ALLOCATIONS 

Figure  10  is  a computerized  reliability  allocation  for  the  four 
different  types  of  reliability.  These  allocations  utilize  the 
logical  relationships  (redundancies)  shown  in  the  Reliability 
Block  Diagrams.  All  numbers  are  failure  rates  in  failures  per 
million  hours.  If  the  system  level  predicted  failure  rate  is 
less  than  the  requirement,  the  program  allocates  the  predicted 
values  to  the  components.  If  the  system  level  predicted  failure 
rate  is  greater  than  the  requirement,  the  program  allocates  the 
required  value  to  the  components  in  proportion  to  their  relative 
contribution  to  the  system  level  prediction  (proportioned  burden 
apportionment). 

10. FAILURE MODE AND EFFECTS ANALYSIS (FMEA)

Figure  11  is  a computerized  Failure  Mode  and  Effects  Analysis 
(FMEA).  "Opens",  "shorts",  "shorts  to  power",  and  "shorts  to 
ground"  were  analyzed.  Since  both  inputs  and  outputs  were 
analyzed,  wiring  failures  are  also  covered.  After  redesign,  no 
mission  single  failure  points  were  identified.  Auto-ignition 
of  the  squibs  would  be  a flight  safety  single  failure  point, 
but  we  were  unable  to  identify  any  recorded  instance  of  this 
mode.  The  basic  technique  for  protection  against  shorts  to 
power  and  shorts  to  ground  is  switch  disconnection  of  both 
power and ground connections. This technique, in conjunction
with twisted pair power/ground wiring, gives better protection
against EMI firing than is possible with shielded wiring.


11.  RELIABILITY  TEST  PROGRAM 

The requirements for this program do not specifically call for
a Reliability Demonstration Test. However, they do say that:

a. Each system shall be designed for a probability of success
(reliability) of .98 at the 90% confidence level for bench
testing.

b. Each helicopter system shall be capable of demonstrating a
reliability of .90 at the 90% confidence level when
completely installed in the subject helicopter.

[Figure legend]
NOTE: ALL FAILURE RATES = FAILURES PER MILLION HOURS
MM FR : MAINTENANCE MALFUNCTION RATE
M1 FR : FIELD MISSION RELIABILITY FAILURE RATE
M2 FR : BENCH MISSION RELIABILITY FAILURE RATE
FS FR : FLIGHT SAFETY RELIABILITY FAILURE RATE
[Figure: Failure rate allocation]

These require that a test program be designed so that the
system would be capable of passing such a test if it were run.
MIL-STD-781 gives test plans which demonstrate at 90% (and
other) levels of confidence, but this, by itself, is insufficient
to respond to the above requirements! The reason is that high
confidence tests (such as MIL-STD-781) are so powerful in
rejecting bad equipment (less than the requirement) that they
also have a high probability of rejecting good equipment! For
example, take requirement a. above (R of .98 at 90% confidence).
Figure 9 shows that if you were to conduct a test of 114
components (or systems) with no failures, you would demonstrate
a reliability of .98 at the 90% confidence level. Now suppose
you entered this test with 114 components with a true reliability
of exactly .98? You would find that you have only a 10% chance
of passing the test.* In other words, if you repeated this
test a number of times, an average of 9 out of 10 tests would
"flunk" (have one or more failures). It turns out that just
to have a 50-50 chance of passing the test, you must go into
the test with a true reliability of .99394, even though the
requirement was only .98. In fact, in order to have a good
(e.g. 90%) probability of passing the test, you must go into
the test with a true reliability of .999076! In order to
better understand what this means, consider the "mean time
between failure" or MTBF. A reliability of .98 for a one hour
mission is equivalent to an MTBF of 50 hours. A reliability of
.99394 is equivalent to an MTBF of 164 hours! A reliability of
.999076 is equivalent to an MTBF of 1,081 hours! Thus, the
true MTBF must be 22 times greater than the required, just to
have a reasonably good probability of passing the test!

The probability of not passing the test is usually referred to as
"producer's risk" (although it should be realized that in the
long run, the consumer actually pays for it). Thus, "producer's
risk" is the probability of rejecting good equipment. One minus
the confidence (as a decimal) is equivalent to "consumer's
risk" (risk of accepting bad equipment). The convention is
to set up a "fair" testing program (consumer's risk equals
producer's risk or probability of passing equals confidence),
and Figure 12 shows the results for requirement a. Note that
by increasing the number of allowable failures (and the number
of tests!) the "true" or designed reliability can be lowered.
Obviously there is a practical limit to this approach. Even
if we were to increase the number of allowable failures to 52,
the design reliability would still have to be .9859 or an MTBF
of 70 hours which is still 142% of the required MTBF of 50 hours.
Furthermore, the destructive testing of 3,121 systems is probably
impractical from both the time and cost standpoint. Thus a
balance must be struck between the designed (true) reliability
and the number of tests.

If we use the reliability prediction as an estimate of the true
reliability, the bench mission prediction of R = .999573 allows
selection of the "zero failure in 114 tests" test program. If we
allow for an "order of magnitude" error in the prediction
(R = .99573), the test program must become "3 or less failures
in 333 tests" because this is the smallest program with a 90%
probability of passing. It should be noted that this is the
primary reason why the design was not frozen when the prediction
first reached R = .98. Figure 13 is an equivalent table for the
"field" mission and the predicted value of R = .999570 allows the
selection of the "zero failure in 22 tests" test program. The
time value of 439.65 flight hours was based on 18 months on
each of 275 aircraft, the test being an actual firing of the
system just prior to refurbishment. This approach would
assure testing under field conditions and avoid the cost of
special purchases and flights strictly for test purposes.

* The theoretical error in this statement is recognized but
is not significant to the conclusions developed.
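
The test-sizing figures quoted above can be reproduced with a binomial acceptance model. The Python below is an added example, not part of the original report; its function names are hypothetical, and it assumes independent pass/fail trials and an exponential failure law for the MTBF conversion.

```python
# Added example (not from the report): binomial sizing of a
# reliability demonstration test. Function names are hypothetical.
from math import comb, log


def accept_prob(r_true, n, c):
    """P(c or fewer failures in n independent trials) when each
    trial succeeds with probability r_true."""
    p = 1.0 - r_true
    return sum(comb(n, k) * p**k * r_true**(n - k) for k in range(c + 1))


def min_tests(r_req, confidence, c):
    """Smallest n such that equipment exactly at r_req is accepted
    with probability <= 1 - confidence (the consumer's risk)."""
    n = c + 1
    while accept_prob(r_req, n, c) > 1.0 - confidence:
        n += 1
    return n


def required_reliability(n, c, p_pass):
    """True reliability needed to pass an (n, c) plan with
    probability p_pass; accept_prob rises with r_true, so bisect."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if accept_prob(mid, n, c) < p_pass:
            lo = mid
        else:
            hi = mid
    return hi


def mtbf_hours(r, mission_hours=1.0):
    """MTBF implied by reliability r over one mission, assuming an
    exponential failure law: r = exp(-t / MTBF)."""
    return -mission_hours / log(r)


def smallest_passing_plan(r_req, confidence, r_true, p_pass, max_c=20):
    """First (c, n) plan, in order of allowed failures c, that a design
    with true reliability r_true passes with probability >= p_pass."""
    for c in range(max_c + 1):
        n = min_tests(r_req, confidence, c)
        if accept_prob(r_true, n, c) >= p_pass:
            return c, n
    return None


if __name__ == "__main__":
    n = min_tests(0.98, 0.90, 0)
    print("zero-failure plan size:", n)
    print("pass chance at R = .98:", round(accept_prob(0.98, n, 0), 4))
    for p_pass in (0.5, 0.9):
        r = required_reliability(n, 0, p_pass)
        print(p_pass, round(r, 6), int(mtbf_hours(r)))
    # Bench prediction, bench prediction with a tenfold error, field prediction
    print(smallest_passing_plan(0.98, 0.90, 0.999573, 0.90))
    print(smallest_passing_plan(0.98, 0.90, 0.99573, 0.90))
    print(smallest_passing_plan(0.90, 0.90, 0.999570, 0.90))
```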

11.1 DEVELOPMENT (PROBLEM IDENTIFICATION) TESTING

The primary reliability testing program will be problem
identification testing. The purpose of this type of testing is
confirmation of failure effects as identified by the FMEA.
Specifically, each FMEA failure mode is artificially induced
into the system and the resulting system effect is noted.

In addition, system level interface failures are induced to
confirm the logic of the Reliability Block Diagrams. Due to
the artificial creation of failure modes, no attempt will be
made to calculate failure rates based on this data.